From b81bd33680ee7d886505783337e4f8ab89a27baf Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 5 Jul 2017 11:26:10 +0100 Subject: [PATCH] Update the early_secret generation to use the new ticket_nonce field Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/3852) --- ssl/statem/extensions.c | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 494bb4c116..9e25a3ed64 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -1234,9 +1234,11 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, EVP_MD_CTX *mctx = NULL; unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE]; unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE]; - unsigned char *early_secret; + unsigned char tmppsk[EVP_MAX_MD_SIZE]; + unsigned char *early_secret, *psk; const char resumption_label[] = "res binder"; const char external_label[] = "ext binder"; + const char nonce_label[] = "resumption"; const char *label; size_t bindersize, labelsize, hashsize = EVP_MD_size(md); int ret = -1; @@ -1249,6 +1251,28 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, labelsize = sizeof(resumption_label) - 1; } + if (sess->master_key_length != hashsize) { + SSLerr(SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_PSK); + goto err; + } + + if (external) { + psk = sess->master_key; + } else { + if (sess->ext.tick_nonce == NULL) { + SSLerr(SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_PSK); + goto err; + } + psk = tmppsk; + if (!tls13_hkdf_expand(s, md, sess->master_key, + (const unsigned char *)nonce_label, + sizeof(nonce_label) - 1, sess->ext.tick_nonce, + sess->ext.tick_nonce_len, psk, hashsize)) { + SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); + goto err; + } + } + /* * Generate the early_secret. On the server side we've selected a PSK to * resume with (internal or external) so we always do this. On the client @@ -1260,8 +1284,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, early_secret = (unsigned char *)s->early_secret; else early_secret = (unsigned char *)sess->early_secret; - if (!tls13_generate_secret(s, md, NULL, sess->master_key, - sess->master_key_length, early_secret)) { + if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) { SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); goto err; } -- 2.25.1